Major bug in urlprotect found, anybody can kill your server!

jerry2

Guest
I am really pissed off! Fix the bugs!

I have enough of ignorance. I wrote about this error that ANYBODY can kill any application pool from a simple % in the address bar in browser and SWsoft ignores it:

http://forum.swsoft.com/showthread.php?t=54142

Now I have updated from 8.4 to 8.6 just to find out that my MyODBC 5.1 I have been using for months doesn't work any more with Plesk 8.6. Why not? 5.1 is not beta, it is release for ages. And it worked before. I don't know why the driver cannot be loaded, I have reinstalled MyODBC several times, no help. 3.51 works, but I moved to the new version.

And don't tell me it is not supported. It worked from 7.5 on and now it doesn't. So my site is off, I cannot migrate from 8.6 back and I cannot test if the ISAPI URLRewrite works or not now.

And please don't tell me to write complex bug reports as the form is too long, I don't want to give credentials to my server and the bugs are easily traceable. The bug report is a big form that needs paid support, I don't have and I don't need one, but fix things. Plesk people can be happy we write about the problems here on the forum I think. It was their job in the first place.

And don't tell me nobody from SWsoft reads this forum, because I know at least Sergius does.

Sorry about my voice, I never had such voice, I am really angry at SWsoft right now.

Jerry
 
The problem with ODBC can be fixed "by hand". The ODBC must be installed to the system folder, so one must use the ODBC 5.1 that is without installer and do it by hand.

I am sorry to inform you all that the urlprotect.dll isn't fixed. If you use protected folders anybody give me your domain name and I'll kill your application pool in 10 seconds only with URL address bar (no hacking).

I think this is serious enough!
 
Yes, the statistics.exe doesn't work now also, as somebody else mentioned.
 
Thank you Sergius. PLEASE fix the urlprotect.dll ASAP and send me link to the new file. My application pool gets killed every few days by this, I am not sure if anybody reads this forum or the hacker bots make the dreaded % in URLs (not followed by 2 other digits) but they are killing the pools. I have now allowed 100 errors before it shuts down to "fix" this, but my servers and servers of anybody who uses urlprotect.dll (protected folders) are at great risk. Thanks.
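Added example, not part of the thread and not Plesk or SWsoft code: a log scanner that flags requests containing a `%` that is not followed by two hex digits, the malformed escape described in the post above, and counts them per client. It assumes W3C extended log format with a `#Fields:` directive and that the raw request URI is what gets logged; the sample log lines, paths and addresses are constructed.

```python
import re
from collections import Counter

# A '%' that is NOT followed by two hex digits is an invalid escape (RFC 3986).
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

def bad_escape_offsets(uri):
    """Return the offset of every malformed percent-escape in a URI string."""
    return [m.start() for m in BAD_ESCAPE.finditer(uri)]

def scan_w3c_log(lines):
    """Yield (client_ip, uri, offsets) for requests with malformed escapes.

    Column positions come from the '#Fields:' directive, so the scanner
    follows whatever field set the log was configured with.
    """
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + query
        offsets = bad_escape_offsets(uri)
        if offsets:
            yield row.get("c-ip", "?"), uri, offsets

def offenders(lines):
    """Count malformed-escape requests per client IP."""
    return Counter(ip for ip, _, _ in scan_w3c_log(lines))

# Constructed sample log (documentation IP ranges, made-up paths and statuses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-08-21 21:10:02 192.0.2.10 GET /protected/index.html - 200
2008-08-21 21:10:05 198.51.100.7 GET /protected/a%20b.html - 200
2008-08-21 21:10:09 203.0.113.5 GET /protected/% - 500
2008-08-21 21:10:11 203.0.113.5 GET /protected/page.asp id=%zz 500
2008-08-21 21:10:15 192.0.2.10 GET /protected/x%4 - 500
""".splitlines()

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG).most_common():
        print(ip, count)
```

Correlating the flagged timestamps with application pool failures in the event log shows whether the recycles line up with these requests.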
 
Jerry,

What's new? Did you expect anything good to become of Plesk? I think they (Parallels) have a financial
issue and are falling apart. I truly believe that they (Parallels/SWSoft) have come to the point that
they no longer employ any 'what they term as engineers' software writers that know anything about...
well, writing good, solid, code.

I just purchased another Plesk license, renewed my SUS and support, to find that after I upgraded to
8.6.0, everything again seems to be hanging on by strings... about ready to crash.

I don't know how many of you are running Win2k8, oh it's quite a joy! Try it! Then, read your event logs.
You'll be surprised your machine is even running yet and didn't come into a fatal system error. :))
 
I do not know about financial issues of SWSoft and I don't really care.

But the statistics doesn't work for me and anybody can break my server that's as good as running a bomb. And I can not go back to 8.4 :-( I migrated just because of DNS issues (security risks).
 
Gentlemen,

Please download updated module urlprotect.dll and copy it to the folder %plesk_bin%.
Please stop IIS before copying and start after.
Please backup old module before copying.

Any feedback is appreciated.
 
Seems it works on 8.6, I will try on 8.4 also.

Thank you. You can give me a free Plesk licence for finding this major bug :) I have lost the hair out of it.
 
Do you mean copy it to c:\program files\Swsoft\Plesk\isapi and not %plesk_bin% ?

Also looking at the file version this urlprotect.dll seems to be from Plesk 8.4 and is smaller in size slightly than the one with 8.6.
 
It works, yes put it in isapi of course.

I tried putting urlprotect.dll in my isapi directory and after I restarted IIS, half my sites wouldn't load.

In fact, in the event log, I get a lot of these messages:

"Could not load all ISAPI filters for site/service. Therefore startup aborted."

Not good. Can we confirm where the file is supposed to go and if this file works at all?

-Eric
 
I tested your finding and my server is vulnerable, I tried to apply the updated urlprotect.dll but it didn't work with 8.6, I got the following error - Now I'm waiting for "Parallels" to solve the problem.

Event Type: Error
Event Source: W3SVC-WP
Event Category: None
Event ID: 2268
Date: 8/21/2008
Time: 9:15:30 PM
User: N/A
Computer: COMPUTERNAME
Description:
Could not load all ISAPI filters for site/service. Therefore startup aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e6 03 00 00 æ...
 
This is exactly what I saw as well.

Parallels, please fix!!!!
 